
SEC to Require Public Companies to Disclose Material Cybersecurity Incidents; Gary Gensler Quoted


The Securities and Exchange Commission has implemented rules that direct public companies to disclose material cybersecurity incidents and to report material information on cybersecurity strategy, risk management and governance annually.

Registrants should disclose and describe the material aspects of a cyber incident's nature, scope and timing under Item 1.05 of Form 8-K within four business days, SEC said Wednesday.

These disclosures may be delayed if the U.S. Attorney General determines that disclosure would pose a risk to public safety or national security.

SEC will require registrants to state under Regulation S-K Item 106 their processes for identifying, managing and assessing material risks from cyberthreats and to describe how their board oversees risks from such threats. The agency noted that such disclosures will be required in a registrant's annual report on Form 10-K.

Foreign private issuers will also be required to disclose material cyber incidents on Form 6-K and cybersecurity risk management, governance and strategy on Form 20-F.

SEC said the final rules will take effect 30 days after publication of the adopting rules in the Federal Register.

“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler.

“I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way,” added Gensler.